From a10f789d286d0f28c85488629cc92f5ab6ca8e00 Mon Sep 17 00:00:00 2001
From: David Zeuthen <zeuthen@google.com>
Date: Mon, 5 Oct 2015 17:04:39 -0400
Subject: [PATCH] Move update_engine policy to AOSP.

The update_engine daemon from Brillo is expected to be used also in
Android so move its selinux policy to AOSP.

Add update_engine to the whitelist (which currently contains only recovery)
so that it may bypass the neverallow on writing to partitions labeled
system_block_device.

Also introduce the misc_block_device dev_type as update_engine in some
configurations may need to read/write the misc partition. Start
migrating uncrypt to use this instead of overly broad
block_device:blk_file access.

Bug: 23186405
Test: Manually tested with Brillo build.

Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
---
 device.te        |  3 +++
 domain.te        |  4 ++--
 file_contexts    |  2 ++
 uncrypt.te       |  2 ++
 update_engine.te | 27 +++++++++++++++++++++++++++
 5 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 update_engine.te

diff --git a/device.te b/device.te
index b2f4f1d32..a120ba324 100644
--- a/device.te
+++ b/device.te
@@ -93,3 +93,6 @@ type swap_block_device, dev_type;
 # Assign this type to the partition specified by the encryptable=
 # mount option in your fstab file in the entry for userdata.
 type metadata_block_device, dev_type;
+
+# The 'misc' partition used by recovery and A/B.
+type misc_block_device, dev_type;
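Review bot: The new `misc_block_device` type is declared but nothing in this patch labels a device node with it, and unlike the `metadata_block_device` comment just above, the new comment does not tell an integrator where that assignment is expected to happen. Since partition paths differ per device, the misc node presumably has to be labeled in each device's own file_contexts; until that is done, uncrypt's new `misc_block_device` rule is dead and it keeps falling back to the broad `block_device` rule. Suggest extending the comment to `# The 'misc' partition used by recovery and A/B. Assign this type to the misc partition's block device in the device-specific file_contexts so uncrypt and update_engine can reach it without the broad block_device rule.`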
diff --git a/domain.te b/domain.te
index 164cad0af..7d13e3659 100644
--- a/domain.te
+++ b/domain.te
@@ -352,8 +352,8 @@ neverallow { domain -init } default_prop:property_service set;
 
 neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
 
-# No domain other than recovery can write to system.
-neverallow { domain -recovery } system_block_device:blk_file write;
+# No domain other than recovery and update_engine can write to system partition(s).
+neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
 
 # No domains other than install_recovery or recovery can write to recovery.
 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
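Review bot: The widened whitelist on `neverallow { domain -recovery -update_engine } system_block_device:blk_file write;` covers only the system partition, while update_engine.te in this same patch also grants `rw_file_perms` on `boot_block_device`, and no neverallow for boot is visible in this hunk. If domain.te already restricts boot_block_device writes elsewhere (not visible here) the new allow will trip that check at policy build time; if it does not, the boot image ends up less guarded than system even though both become writable by a daemon that is also `net_domain`. Consider adding a mirrored rule, `neverallow { domain -recovery -update_engine } boot_block_device:blk_file write;`, so the set of domains allowed to rewrite the boot partition is stated explicitly rather than implied.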
diff --git a/file_contexts b/file_contexts
index 42ed5ff2f..69a59548a 100644
--- a/file_contexts
+++ b/file_contexts
@@ -199,6 +199,7 @@
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/update_engine        u:object_r:update_engine_exec:s0
 
 #############################
 # Vendor files
@@ -274,6 +275,7 @@
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
+/data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 
 # Fingerprint data
diff --git a/uncrypt.te b/uncrypt.te
index 752124ddb..93f5a274f 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -27,6 +27,8 @@ set_prop(uncrypt, powerctl_prop)
 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;
 allow uncrypt block_device:blk_file w_file_perms;
+auditallow uncrypt block_device:blk_file w_file_perms;
+allow uncrypt misc_block_device:blk_file w_file_perms;
 allow uncrypt block_device:dir r_dir_perms;
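Review bot: The broad `allow uncrypt block_device:blk_file w_file_perms;` stays in place, so the new `misc_block_device` rule narrows nothing yet; the added `auditallow` will log uses of the wide rule, but the file does not say the rule is slated for removal or what must happen first. Without that, the audit noise is easy to ignore and the migration the commit message describes can stall indefinitely. A one-line comment on the wide rule would anchor it: `# TODO: drop the block_device rule once every device labels misc as misc_block_device; the auditallow below tracks remaining users.`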
 
 # Access userdata block device.
diff --git a/update_engine.te b/update_engine.te
new file mode 100644
index 000000000..88b0b722f
--- /dev/null
+++ b/update_engine.te
@@ -0,0 +1,27 @@
+# Domain for update_engine daemon.
+type update_engine, domain;
+type update_engine_exec, exec_type, file_type;
+type update_engine_data_file, file_type, data_file_type;
+
+init_daemon_domain(update_engine);
+net_domain(update_engine);
+
+# Following permissions are needed for update_engine.
+allow update_engine self:process { setsched };
+allow update_engine self:capability { fowner sys_admin };
+allow update_engine kmsg_device:chr_file w_file_perms;
+wakelock_use(update_engine);
+
+# Allow using persistent storage in /data/misc/update_engine.
+allow update_engine update_engine_data_file:dir { create_dir_perms };
+allow update_engine update_engine_data_file:file { create_file_perms };
+
+# Allow update_engine to reach block devices in /dev/block.
+allow update_engine block_device:dir search;
+
+# Allow read/write on system and boot partitions.
+allow update_engine boot_block_device:blk_file rw_file_perms;
+allow update_engine system_block_device:blk_file rw_file_perms;
+
+# Don't allow kernel module loading, just silence the logs.
+dontaudit update_engine kernel:system module_request;
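Review bot: `allow update_engine self:capability { fowner sys_admin };` hands CAP_SYS_ADMIN to a domain that is also `net_domain` and, a few lines later, gets raw read/write on the system and boot block devices, yet the only explanation is "Following permissions are needed for update_engine", which does not say which operation needs either capability. CAP_SYS_ADMIN is the broadest capability in the set and is frequently granted for a single ioctl that a narrower permission or a different code path would cover, so a per-capability why-comment, e.g. `# sys_admin: needed for <the specific call>` and `# fowner: <reason>`, is what lets a later reviewer judge whether it can be dropped; an `auditallow update_engine self:capability sys_admin;` during bring-up would show whether it is exercised at all. Separately, the commit message says update_engine may need the misc partition in some configurations, but no `misc_block_device` rule is added here, so that is presumably left for a follow-up and could be noted in a comment next to the boot/system rules.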
-- 